Putting the spotlight on DevSecOps to avoid security risks

Since its debut in 2008, organisations across industries have discovered the power of DevOps and are taking advantage of greater agility, efficiency and cost-savings associated with the philosophy. The market for DevOps has significantly matured and the approach quickly gained popularity among organisations in Asia Pacific as a solution for improving collaboration between IT development and operations.

The reliance on DevOps has grown amidst COVID-19, with organisations across the globe scrambling to ensure continuity in business operations while their employees and customers work from home. The DevOps software tools market in the region will continue to keep pace with this growth – an IDC report forecasts that it will grow exponentially to US$1.4 billion by 2023.

While DevOps – which syncs, organises and automates the pace of software development – came into the spotlight for remote operations during the COVID-19 crisis, DevSecOps could potentially become the understudy.

Why is DevSecOps the real hero?

Since its inception, a core element of DevOps has been to deliver value to the customer quickly. But with the new way of working forced by the pandemic and increased demand for fast delivery of reliable applications and digital tools, potential security weaknesses can be introduced or overlooked. This is why DevOps teams are starting to treat the “Sec” component as the hero.

DevSecOps is the philosophy of integrating security testing into every stage of the software development cycle. Currently, many developer teams working to tight deadlines see security as an essential step, but one that is brought in only during the last stages of software or application development. This can mean the application carries a number of vulnerabilities that were not caught at the beginning of the development process, creating opportunities for potential attackers.

Beyond the financial risk of high regulatory non-compliance fines as a result of falling victim to a data breach, every company has a duty to protect the sensitive data of its customers and employees. If it fails to do so, it not only violates the law but, crucially, puts its reputation at stake by compromising trust – a priceless commodity during these difficult times. While implementing security at each stage of development might initially slow down application development, it creates a more reliable and sustainable final product with built-in security checks.

Tips for doing DevSecOps well for organisations today

In practical terms, here are three key steps that teams can take to make DevSecOps the hero in their organisation:

1. Invest in security visibility

Organisational “security visibility” is the ability of IT professionals to see and control network traffic in an easy-to-monitor format, giving greater control over the organisation’s network, users and potential risks. To increase security visibility, businesses should instrument their builds with a Software Bill of Materials (SBOM) to capture the dependencies packaged into the app – this puts in place a system that routinely flags newly disclosed vulnerabilities in those dependencies for the security team’s attention.

2. Cultivating security champions

Provide developers and testers with security training to help them understand how to incorporate security into the design, coding, code review and testing of a product. Regular threat modelling sessions, run as a team, can also identify weaknesses in the application’s design and architecture so they can be addressed early.

3. Applying automated security testing tools

Automated security testing tools run quicker than manual tests, making them ideal for continuous testing, especially in a work-from-home setting. Static Application Security Testing (SAST) tools and Dynamic Application Security Testing (DAST) tools are complementary: SAST spots weaknesses in the source code, while DAST scans the running application for vulnerabilities as it executes in a testing environment.
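As an added illustration of the SBOM step in tip 1 (example code written for this page, not from the article or any product it mentions): a small Python routine that reads a constructed CycloneDX-style SBOM and checks each component against a constructed advisory feed with OSV-style version ranges, which is the routine flagging the tip describes. The package names, versions and advisory ids are all invented placeholders.

```python
import json

# Constructed minimal CycloneDX-style SBOM; package names and versions are
# invented for this example, not taken from any real project.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1"},
    {"type": "library", "name": "example-http-client", "version": "1.9.0"},
    {"type": "library", "name": "example-crypto", "version": "4.0.2"}
  ]
}"""

# Constructed advisory feed using OSV-style ranges: a version is affected if
# introduced <= version < fixed (fixed=None means no fix has shipped yet).
# The advisory ids are placeholders, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-0001", "package": "example-json-parser",
     "introduced": "2.0.0", "fixed": "2.3.4"},
    {"id": "PLACEHOLDER-ADV-0002", "package": "example-http-client",
     "introduced": "1.0.0", "fixed": "1.8.0"},
]

def parse_version(version):
    """Turn a dotted numeric version such as '2.3.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version, introduced, fixed=None):
    """Half-open range check: introduced (inclusive) up to fixed (exclusive)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def flag_vulnerable_components(sbom_json, advisories):
    """Match every SBOM component against the advisory feed and list the hits."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv.get("fixed")):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv.get("fixed")})
    return findings

if __name__ == "__main__":
    for f in flag_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Run against a real SBOM, the same matching would be driven by a vulnerability feed refreshed on a schedule, so a component that was clean at build time is flagged as soon as an advisory for it is published.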

Ultimately, security needs to be a core part of software delivery, even when organisations face mounting pressure from users to move quickly along the software implementation pipeline during this period. It can be tempting to embrace DevOps, the rising star, while completely overlooking security; instead, organisations need to embrace DevSecOps – especially when attacks are amplified as we work from home. It is time for organisations to let this more reliable understudy take centre stage.